Malware Analysis Report

2024-10-18 23:41

Sample ID 240813-hab3watdlp
Target b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b
SHA256 b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b
Tags
amadey stealc 0657d1 kora nord discovery evasion persistence stealer trojan credential_access
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b

Threat Level: Known bad

The file b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b was found to be: Known bad.

Malicious Activity Summary

amadey stealc 0657d1 kora nord discovery evasion persistence stealer trojan credential_access

Stealc

Amadey

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Credentials from Password Stores: Credentials from Web Browsers

Downloads MZ/PE file

Executes dropped EXE

Checks BIOS information in registry

Checks computer location settings

Identifies Wine through registry keys

Adds Run key to start application

AutoIT Executable

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Browser Information Discovery

Enumerates physical storage devices

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious use of SetWindowsHookEx

Uses Task Scheduler COM API

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-13 06:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-13 06:31

Reported

2024-08-13 06:34

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\e5cf423e52.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\e5cf423e52.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4228 set thread context of 2328 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\e5cf423e52.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2636 set thread context of 4920 N/A C:\Users\Admin\1000037002\a65be0d694.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\13a21bf0df.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\e5cf423e52.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\a65be0d694.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2924 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 2924 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 2924 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 5032 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\e5cf423e52.exe
PID 5032 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\e5cf423e52.exe
PID 5032 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\e5cf423e52.exe
PID 4228 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\e5cf423e52.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4228 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\e5cf423e52.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4228 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\e5cf423e52.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4228 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\e5cf423e52.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4228 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\e5cf423e52.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4228 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\e5cf423e52.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4228 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\e5cf423e52.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4228 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\e5cf423e52.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4228 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\e5cf423e52.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4228 wrote to memory of 2328 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\e5cf423e52.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5032 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\a65be0d694.exe
PID 5032 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\a65be0d694.exe
PID 5032 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\a65be0d694.exe
PID 2636 wrote to memory of 4920 N/A C:\Users\Admin\1000037002\a65be0d694.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2636 wrote to memory of 4920 N/A C:\Users\Admin\1000037002\a65be0d694.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2636 wrote to memory of 4920 N/A C:\Users\Admin\1000037002\a65be0d694.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2636 wrote to memory of 4920 N/A C:\Users\Admin\1000037002\a65be0d694.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2636 wrote to memory of 4920 N/A C:\Users\Admin\1000037002\a65be0d694.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2636 wrote to memory of 4920 N/A C:\Users\Admin\1000037002\a65be0d694.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2636 wrote to memory of 4920 N/A C:\Users\Admin\1000037002\a65be0d694.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2636 wrote to memory of 4920 N/A C:\Users\Admin\1000037002\a65be0d694.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2636 wrote to memory of 4920 N/A C:\Users\Admin\1000037002\a65be0d694.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 5032 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\13a21bf0df.exe
PID 5032 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\13a21bf0df.exe
PID 5032 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\13a21bf0df.exe
PID 2328 wrote to memory of 2132 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2328 wrote to memory of 2132 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2132 wrote to memory of 924 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2132 wrote to memory of 924 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2132 wrote to memory of 924 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2132 wrote to memory of 924 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2132 wrote to memory of 924 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2132 wrote to memory of 924 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2132 wrote to memory of 924 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2132 wrote to memory of 924 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2132 wrote to memory of 924 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2132 wrote to memory of 924 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2132 wrote to memory of 924 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe

"C:\Users\Admin\AppData\Local\Temp\b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\e5cf423e52.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\e5cf423e52.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\a65be0d694.exe

"C:\Users\Admin\1000037002\a65be0d694.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\13a21bf0df.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\13a21bf0df.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1912 -parentBuildID 20240401114208 -prefsHandle 1840 -prefMapHandle 1832 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {98f318d0-238f-4f11-b5d4-ae97eb9992a6} 924 "\\.\pipe\gecko-crash-server-pipe.924" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2348 -parentBuildID 20240401114208 -prefsHandle 2340 -prefMapHandle 2328 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {00428ba7-5044-4d01-aa7e-d9d5203989cb} 924 "\\.\pipe\gecko-crash-server-pipe.924" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2976 -childID 1 -isForBrowser -prefsHandle 2916 -prefMapHandle 2888 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37e94fc3-12af-44c8-99b9-79e5bd2e3065} 924 "\\.\pipe\gecko-crash-server-pipe.924" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2700 -childID 2 -isForBrowser -prefsHandle 3644 -prefMapHandle 3640 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {42bcaee0-3913-416d-9b03-df8c657b90fc} 924 "\\.\pipe\gecko-crash-server-pipe.924" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4484 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4496 -prefMapHandle 4472 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7037ef16-f0ee-4877-b9f8-4fc5f00e9135} 924 "\\.\pipe\gecko-crash-server-pipe.924" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5164 -childID 3 -isForBrowser -prefsHandle 5096 -prefMapHandle 5128 -prefsLen 27050 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {898692df-d495-4460-bfe0-c155904252c5} 924 "\\.\pipe\gecko-crash-server-pipe.924" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5328 -childID 4 -isForBrowser -prefsHandle 5248 -prefMapHandle 5252 -prefsLen 27050 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e514d63-fddd-451f-99b8-3957989e4c68} 924 "\\.\pipe\gecko-crash-server-pipe.924" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5476 -childID 5 -isForBrowser -prefsHandle 5144 -prefMapHandle 5136 -prefsLen 27050 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dca09e17-13f3-4b09-ac95-c43e05bf4a41} 924 "\\.\pipe\gecko-crash-server-pipe.924" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6000 -childID 6 -isForBrowser -prefsHandle 5940 -prefMapHandle 5908 -prefsLen 27181 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {46b8dd2d-9d12-420e-a5bf-4bd745c34dd8} 924 "\\.\pipe\gecko-crash-server-pipe.924" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
US 8.8.8.8:53 100.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
N/A 127.0.0.1:60423 tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 accounts.google.com udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net udp
US 34.149.97.1:443 firefox-api-proxy.cdn.mozilla.net tcp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.ads.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
NL 142.250.102.84:443 accounts.google.com udp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 shavar.prod.mozaws.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 84.102.250.142.in-addr.arpa udp
N/A 127.0.0.1:60425 tcp
US 8.8.8.8:53 139.54.240.44.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 3.36.251.142.in-addr.arpa udp
US 8.8.8.8:53 accounts.youtube.com udp
NL 142.250.179.174:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
NL 142.250.179.174:443 www3.l.google.com udp
US 8.8.8.8:53 play.google.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 play.google.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com udp
US 8.8.8.8:53 174.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 14.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
NL 142.250.179.196:443 www.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 www.google.com udp
NL 142.250.179.196:443 www.google.com udp
US 8.8.8.8:53 196.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 ciscobinary.openh264.org udp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 a19.dscg10.akamai.net udp
US 8.8.8.8:53 redirector.gvt1.com udp
NL 142.250.179.174:443 redirector.gvt1.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 201.181.244.35.in-addr.arpa udp
US 8.8.8.8:53 155.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 redirector.gvt1.com udp
NL 142.250.179.174:443 redirector.gvt1.com udp
US 8.8.8.8:53 r4---sn-4g5e6nsd.gvt1.com udp
DE 173.194.187.41:443 r4---sn-4g5e6nsd.gvt1.com tcp
US 8.8.8.8:53 r4.sn-4g5e6nsd.gvt1.com udp
US 8.8.8.8:53 r4.sn-4g5e6nsd.gvt1.com udp
DE 173.194.187.41:443 r4.sn-4g5e6nsd.gvt1.com udp
US 8.8.8.8:53 41.187.194.173.in-addr.arpa udp
US 8.8.8.8:53 prod.balrog.prod.cloudops.mozgcp.net udp
US 8.8.8.8:53 location.services.mozilla.com udp
US 8.8.8.8:53 firefox-settings-attachments.cdn.mozilla.net udp
US 35.190.72.216:443 location.services.mozilla.com udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.classify-client.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 attachments.prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 216.72.190.35.in-addr.arpa udp
NL 216.58.214.14:443 play.google.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 142.250.102.84:443 accounts.google.com udp
NL 142.250.102.84:443 accounts.google.com tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

memory/2924-0-0x0000000000770000-0x0000000000C33000-memory.dmp

memory/2924-1-0x00000000774E4000-0x00000000774E6000-memory.dmp

memory/2924-2-0x0000000000771000-0x000000000079F000-memory.dmp

memory/2924-3-0x0000000000770000-0x0000000000C33000-memory.dmp

memory/2924-4-0x0000000000770000-0x0000000000C33000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 f8348bd316750a70f9c1f56eb9d4c700
SHA1 5166b30fc5b622863e4edb83ef13905dff6e5295
SHA256 b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b
SHA512 1495d3e0961447ca074a61e493b14d03cdcbebfafd95ec29ad55721556a52457186801cf42597f1aa4a04400dd56ade7d151ec926301c6a0df9d55b3e25ee0ef

memory/5032-17-0x0000000000CB0000-0x0000000001173000-memory.dmp

memory/2924-16-0x0000000000770000-0x0000000000C33000-memory.dmp

memory/5032-21-0x0000000005630000-0x0000000005631000-memory.dmp

memory/5032-25-0x0000000005670000-0x0000000005671000-memory.dmp

memory/5032-24-0x0000000005620000-0x0000000005621000-memory.dmp

memory/5032-23-0x0000000005610000-0x0000000005611000-memory.dmp

memory/5032-22-0x0000000005680000-0x0000000005681000-memory.dmp

memory/5032-20-0x0000000005650000-0x0000000005651000-memory.dmp

memory/5032-19-0x0000000005640000-0x0000000005641000-memory.dmp

memory/5032-26-0x0000000000CB1000-0x0000000000CDF000-memory.dmp

memory/5032-27-0x0000000000CB0000-0x0000000001173000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\e5cf423e52.exe

MD5 0cd9988143ed0889f0ec75b9ce302cc1
SHA1 a85827b7497b66554f2f8bf86d044afec100eed0
SHA256 f40952c3693d14eb42a3785136841e3f3fd2f6f0336272e09860a7b93db1e59d
SHA512 715ae0560d5540494ef0e12e9750ad5e864aafc341584c660406c2158e881d38831d4a72d0a6300c634804a2d49e9bb8abd18ee3e9c6d587e029cd9da26fabb6

memory/4228-46-0x00000000730FE000-0x00000000730FF000-memory.dmp

memory/4228-47-0x0000000000FA0000-0x00000000010D0000-memory.dmp

memory/2328-49-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2328-51-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2328-53-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\a65be0d694.exe

MD5 c4e52e6c6a04afe8e1a0edb8fb8236a2
SHA1 e3d70bab8a8882ed26a5e5d206b50862a32a0112
SHA256 a4fcfe7074b0d307133c98530614d6de7f5e0fd27a64a00f30f7933583b63fa6
SHA512 3e89f085dd83274db01305ef8b66c481e202ba889125ae5d7f74aa09359f782557950d9d357cc54bf23a10e239e5b5760000ca2012f3b833e6481c6750d73478

memory/2636-72-0x00000000007E0000-0x0000000000818000-memory.dmp

memory/4920-74-0x0000000000400000-0x0000000000643000-memory.dmp

memory/4920-76-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\13a21bf0df.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/4444-92-0x0000000000900000-0x0000000000B43000-memory.dmp

memory/4444-93-0x0000000000900000-0x0000000000B43000-memory.dmp

memory/5032-94-0x0000000000CB0000-0x0000000001173000-memory.dmp

memory/5032-95-0x0000000000CB0000-0x0000000001173000-memory.dmp

memory/5420-99-0x0000000000CB0000-0x0000000001173000-memory.dmp

memory/5032-97-0x0000000000CB0000-0x0000000001173000-memory.dmp

memory/5032-98-0x0000000000CB0000-0x0000000001173000-memory.dmp

memory/5420-100-0x0000000000CB0000-0x0000000001173000-memory.dmp

memory/5032-101-0x0000000000CB0000-0x0000000001173000-memory.dmp

memory/5032-102-0x0000000000CB0000-0x0000000001173000-memory.dmp

memory/5032-103-0x0000000000CB0000-0x0000000001173000-memory.dmp

memory/5032-104-0x0000000000CB0000-0x0000000001173000-memory.dmp

memory/5032-105-0x0000000000CB0000-0x0000000001173000-memory.dmp

memory/5032-106-0x0000000000CB0000-0x0000000001173000-memory.dmp

memory/5600-108-0x0000000000CB0000-0x0000000001173000-memory.dmp

memory/5600-109-0x0000000000CB0000-0x0000000001173000-memory.dmp

memory/5032-110-0x0000000000CB0000-0x0000000001173000-memory.dmp

memory/5032-111-0x0000000000CB0000-0x0000000001173000-memory.dmp

memory/5032-112-0x0000000000CB0000-0x0000000001173000-memory.dmp

memory/5032-113-0x0000000000CB0000-0x0000000001173000-memory.dmp

memory/5032-114-0x0000000000CB0000-0x0000000001173000-memory.dmp

memory/5032-115-0x0000000000CB0000-0x0000000001173000-memory.dmp

memory/2420-117-0x0000000000CB0000-0x0000000001173000-memory.dmp

memory/2420-118-0x0000000000CB0000-0x0000000001173000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-13 06:31

Reported

2024-08-13 06:34

Platform

win11-20240802-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe"

Signatures

Amadey

trojan amadey

Stealc

stealer stealc

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Wine C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\Software\Microsoft\Windows\CurrentVersion\Run\ce459c4bc6.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1000036001\\ce459c4bc6.exe" C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1468 set thread context of 2704 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\ce459c4bc6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 868 set thread context of 4736 N/A C:\Users\Admin\1000037002\2f60e7fe05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\explorti.job C:\Users\Admin\AppData\Local\Temp\b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000036001\ce459c4bc6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\1000037002\2f60e7fe05.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1000038001\a80d610d1a.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Mozilla Firefox\firefox.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz C:\Program Files\Mozilla Firefox\firefox.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Mozilla Firefox\firefox.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2464 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 2464 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 2464 wrote to memory of 2280 N/A C:\Users\Admin\AppData\Local\Temp\b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe
PID 2280 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\ce459c4bc6.exe
PID 2280 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\ce459c4bc6.exe
PID 2280 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000036001\ce459c4bc6.exe
PID 1468 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\ce459c4bc6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1468 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\ce459c4bc6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1468 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\ce459c4bc6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1468 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\ce459c4bc6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1468 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\ce459c4bc6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1468 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\ce459c4bc6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1468 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\ce459c4bc6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1468 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\ce459c4bc6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1468 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\ce459c4bc6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1468 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\1000036001\ce459c4bc6.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2280 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\2f60e7fe05.exe
PID 2280 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\2f60e7fe05.exe
PID 2280 wrote to memory of 868 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\1000037002\2f60e7fe05.exe
PID 868 wrote to memory of 3280 N/A C:\Users\Admin\1000037002\2f60e7fe05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 868 wrote to memory of 3280 N/A C:\Users\Admin\1000037002\2f60e7fe05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 868 wrote to memory of 3280 N/A C:\Users\Admin\1000037002\2f60e7fe05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 868 wrote to memory of 4636 N/A C:\Users\Admin\1000037002\2f60e7fe05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 868 wrote to memory of 4636 N/A C:\Users\Admin\1000037002\2f60e7fe05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 868 wrote to memory of 4636 N/A C:\Users\Admin\1000037002\2f60e7fe05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 868 wrote to memory of 1604 N/A C:\Users\Admin\1000037002\2f60e7fe05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 868 wrote to memory of 1604 N/A C:\Users\Admin\1000037002\2f60e7fe05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 868 wrote to memory of 1604 N/A C:\Users\Admin\1000037002\2f60e7fe05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 868 wrote to memory of 4736 N/A C:\Users\Admin\1000037002\2f60e7fe05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 868 wrote to memory of 4736 N/A C:\Users\Admin\1000037002\2f60e7fe05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 868 wrote to memory of 4736 N/A C:\Users\Admin\1000037002\2f60e7fe05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 868 wrote to memory of 4736 N/A C:\Users\Admin\1000037002\2f60e7fe05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 868 wrote to memory of 4736 N/A C:\Users\Admin\1000037002\2f60e7fe05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 868 wrote to memory of 4736 N/A C:\Users\Admin\1000037002\2f60e7fe05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 868 wrote to memory of 4736 N/A C:\Users\Admin\1000037002\2f60e7fe05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 868 wrote to memory of 4736 N/A C:\Users\Admin\1000037002\2f60e7fe05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 868 wrote to memory of 4736 N/A C:\Users\Admin\1000037002\2f60e7fe05.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2280 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\a80d610d1a.exe
PID 2280 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\a80d610d1a.exe
PID 2280 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe C:\Users\Admin\AppData\Local\Temp\1000038001\a80d610d1a.exe
PID 2704 wrote to memory of 1464 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 2704 wrote to memory of 1464 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1464 wrote to memory of 768 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1464 wrote to memory of 768 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1464 wrote to memory of 768 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1464 wrote to memory of 768 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1464 wrote to memory of 768 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1464 wrote to memory of 768 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1464 wrote to memory of 768 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1464 wrote to memory of 768 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1464 wrote to memory of 768 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1464 wrote to memory of 768 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 1464 wrote to memory of 768 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 768 wrote to memory of 3412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 768 wrote to memory of 3412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 768 wrote to memory of 3412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 768 wrote to memory of 3412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 768 wrote to memory of 3412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 768 wrote to memory of 3412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 768 wrote to memory of 3412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 768 wrote to memory of 3412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 768 wrote to memory of 3412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 768 wrote to memory of 3412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe
PID 768 wrote to memory of 3412 N/A C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\firefox.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe

"C:\Users\Admin\AppData\Local\Temp\b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b.exe"

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

"C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe"

C:\Users\Admin\AppData\Local\Temp\1000036001\ce459c4bc6.exe

"C:\Users\Admin\AppData\Local\Temp\1000036001\ce459c4bc6.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\1000037002\2f60e7fe05.exe

"C:\Users\Admin\1000037002\2f60e7fe05.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000038001\a80d610d1a.exe

"C:\Users\Admin\AppData\Local\Temp\1000038001\a80d610d1a.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com/ServiceLogin?service=accountsettings&continue=https://myaccount.google.com/signinoptions/password

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2004 -parentBuildID 20240401114208 -prefsHandle 1920 -prefMapHandle 1912 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e8a2995-24ef-4278-96d5-223a45b0bd72} 768 "\\.\pipe\gecko-crash-server-pipe.768" gpu

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2396 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {851a5bc1-1289-43ad-aeef-92b9deb5a818} 768 "\\.\pipe\gecko-crash-server-pipe.768" socket

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3148 -childID 1 -isForBrowser -prefsHandle 3064 -prefMapHandle 3088 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4db98f4-65e0-48b0-a8f3-fb253852eddb} 768 "\\.\pipe\gecko-crash-server-pipe.768" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3884 -childID 2 -isForBrowser -prefsHandle 3876 -prefMapHandle 3872 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {423ca0fd-142b-40b9-a981-e66543354900} 768 "\\.\pipe\gecko-crash-server-pipe.768" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4888 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4720 -prefMapHandle 4808 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef3eaa98-001d-48cc-9265-8c6a706c1175} 768 "\\.\pipe\gecko-crash-server-pipe.768" utility

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5588 -childID 3 -isForBrowser -prefsHandle 5580 -prefMapHandle 5568 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b32b092-a662-4098-a696-d2949f17d12d} 768 "\\.\pipe\gecko-crash-server-pipe.768" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5624 -childID 4 -isForBrowser -prefsHandle 5840 -prefMapHandle 5580 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c0d13c3-33d8-4a54-9940-84ffacf1447e} 768 "\\.\pipe\gecko-crash-server-pipe.768" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6064 -childID 5 -isForBrowser -prefsHandle 5980 -prefMapHandle 5984 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c4937cd3-93e5-43d2-a7e4-aaac64117164} 768 "\\.\pipe\gecko-crash-server-pipe.768" tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6172 -childID 6 -isForBrowser -prefsHandle 6180 -prefMapHandle 6184 -prefsLen 27182 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2ef9ad01-27ad-4b3e-86a2-b736b63239e7} 768 "\\.\pipe\gecko-crash-server-pipe.768" tab

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

Network

Country Destination Domain Proto
RU 185.215.113.19:80 185.215.113.19 tcp
RU 185.215.113.16:80 185.215.113.16 tcp
US 8.8.8.8:53 19.113.215.185.in-addr.arpa udp
US 8.8.8.8:53 16.113.215.185.in-addr.arpa udp
RU 185.215.113.100:80 185.215.113.100 tcp
RU 185.215.113.100:80 185.215.113.100 tcp
N/A 127.0.0.1:49848 tcp
US 8.8.8.8:53 spocs.getpocket.com udp
US 8.8.8.8:53 firefox-api-proxy.cdn.mozilla.net udp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net udp
NL 142.250.102.84:443 accounts.google.com tcp
NL 142.250.102.84:443 accounts.google.com tcp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net udp
US 34.117.188.166:443 prod.ads.prod.webservices.mozgcp.net tcp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net udp
US 34.149.97.1:443 firefox-api-proxy-prod.pocket.prod.cloudops.mozgcp.net tcp
US 8.8.8.8:53 prod.content-signature-chains.prod.webservices.mozgcp.net udp
NL 142.250.102.84:443 accounts.google.com udp
NL 142.250.179.174:443 redirector.gvt1.com tcp
NL 142.250.179.174:443 redirector.gvt1.com udp
NL 142.250.179.196:443 www.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
NL 142.250.179.196:443 www.google.com udp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com tcp
NL 216.58.214.14:443 play.google.com udp
N/A 127.0.0.1:49855 tcp
GB 88.221.134.155:80 ciscobinary.openh264.org tcp
NL 142.250.179.174:443 redirector.gvt1.com tcp
NL 142.250.179.174:443 redirector.gvt1.com udp
DE 173.194.187.41:443 r4.sn-4g5e6nsd.gvt1.com tcp
DE 173.194.187.41:443 r4.sn-4g5e6nsd.gvt1.com udp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 34.117.121.53:443 firefox-settings-attachments.cdn.mozilla.net tcp
US 35.190.72.216:443 prod.classify-client.prod.webservices.mozgcp.net udp
NL 216.58.214.14:443 play.google.com udp
NL 142.250.102.84:443 accounts.google.com udp

Files

memory/2464-0-0x00000000009D0000-0x0000000000E93000-memory.dmp

memory/2464-1-0x00000000774B6000-0x00000000774B8000-memory.dmp

memory/2464-2-0x00000000009D1000-0x00000000009FF000-memory.dmp

memory/2464-3-0x00000000009D0000-0x0000000000E93000-memory.dmp

memory/2464-4-0x00000000009D0000-0x0000000000E93000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0d8f5eb8a7\explorti.exe

MD5 f8348bd316750a70f9c1f56eb9d4c700
SHA1 5166b30fc5b622863e4edb83ef13905dff6e5295
SHA256 b0f8cebacc784a4a056d2754a3a0fe692a9da634327439de3f5a0fd06bbc7f9b
SHA512 1495d3e0961447ca074a61e493b14d03cdcbebfafd95ec29ad55721556a52457186801cf42597f1aa4a04400dd56ade7d151ec926301c6a0df9d55b3e25ee0ef

memory/2280-18-0x0000000000D10000-0x00000000011D3000-memory.dmp

memory/2464-17-0x00000000009D0000-0x0000000000E93000-memory.dmp

memory/2280-19-0x0000000000D11000-0x0000000000D3F000-memory.dmp

memory/2280-20-0x0000000000D10000-0x00000000011D3000-memory.dmp

memory/2280-21-0x0000000000D10000-0x00000000011D3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000036001\ce459c4bc6.exe

MD5 0cd9988143ed0889f0ec75b9ce302cc1
SHA1 a85827b7497b66554f2f8bf86d044afec100eed0
SHA256 f40952c3693d14eb42a3785136841e3f3fd2f6f0336272e09860a7b93db1e59d
SHA512 715ae0560d5540494ef0e12e9750ad5e864aafc341584c660406c2158e881d38831d4a72d0a6300c634804a2d49e9bb8abd18ee3e9c6d587e029cd9da26fabb6

memory/1468-40-0x0000000072E7E000-0x0000000072E7F000-memory.dmp

memory/1468-41-0x00000000002B0000-0x00000000003E0000-memory.dmp

memory/2704-43-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2704-45-0x0000000000400000-0x000000000052D000-memory.dmp

memory/2704-47-0x0000000000400000-0x000000000052D000-memory.dmp

C:\Users\Admin\1000037002\2f60e7fe05.exe

MD5 c4e52e6c6a04afe8e1a0edb8fb8236a2
SHA1 e3d70bab8a8882ed26a5e5d206b50862a32a0112
SHA256 a4fcfe7074b0d307133c98530614d6de7f5e0fd27a64a00f30f7933583b63fa6
SHA512 3e89f085dd83274db01305ef8b66c481e202ba889125ae5d7f74aa09359f782557950d9d357cc54bf23a10e239e5b5760000ca2012f3b833e6481c6750d73478

memory/868-66-0x0000000000E20000-0x0000000000E58000-memory.dmp

memory/4736-68-0x0000000000400000-0x0000000000643000-memory.dmp

memory/4736-70-0x0000000000400000-0x0000000000643000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000038001\a80d610d1a.exe

MD5 278ee1426274818874556aa18fd02e3a
SHA1 185a2761330024dec52134df2c8388c461451acb
SHA256 37257ddb1a6f309a6e9d147b5fc2551a9cae3a0e52b191b18d9465bfcb5c18eb
SHA512 07ec6759af5b9a00d8371b9fd9b723012dd0a1614cfcc7cd51975a004f69ffb90083735e9a871a2aa0e8d28799beac53a4748f55f4dd1e7495bc7388ebf4d6a0

memory/3012-86-0x00000000007B0000-0x00000000009F3000-memory.dmp

memory/3012-87-0x00000000007B0000-0x00000000009F3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\pending_pings\fb20e9a9-1863-49d8-9da3-6fc82c45a3e6

MD5 a0f6a08e08edcf560e95e91f4c04cb09
SHA1 230fbe332662512a3c11b46288ffa8a389bf730c
SHA256 fb20534ff410e42e183250a9c52554197d7b9868904be3efe7093a8180cf9adc
SHA512 f1f70abe428b52273a5e36661e6ba6a1e027d01553901bbebb071092e66777fb14821d6100c93dc4d167be2d2ffb90c926b457243489b38dcd13488915f9eb04

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\pending_pings\1847afb5-be48-44f2-b727-7f2995f8768b

MD5 a3192142b750560878c646384f93f576
SHA1 ed3adbbe4d2261a566f9a6987fa82c69b256343a
SHA256 3f64d0c4096fedf3f0deecc2eb5b70ac68e831eb6122af113d0644a87bf7c9c2
SHA512 f94ea0bda28036e42c7108106db694eb0d586bf4fb3199d46f39b4f3e068ff7e5960424a38c308d203da4b6eedb7f363c71a75ae78a7ec1f20016c08864f3718

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\pending_pings\1778c38a-1903-41f3-b890-7f1eca894774

MD5 d4d441b19d98362cc5ea64623d0a5be9
SHA1 327961c0942a4fa3a02e6c6d2d9c993bf3f2071e
SHA256 277b9aca1736d4cdb712930746cfe2d83896db5a71d456f4feee0213dc8d3c3a
SHA512 5f91f0c7e2c77ff38dbe3a371e642d3aabb9a078ef8cc3274b8d2d80cba5bfc892c8ac0b6a6d3a1e4db0e29765e9d0605236c9ffd5dfd94a1487c625e0e8e9bb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\db\data.safe.tmp

MD5 eab136bf974827cd5675dd3e25b2a029
SHA1 fc414b26bcc65cabb05d68a7cab0aa7a60123a36
SHA256 cce3d2d208808676fd2e5bb424a68e7f33912917dee73336c1ef34b67f8c26de
SHA512 054dcb9abc0228832ac3e707336ca22dadf0f6f052b6549f3a3077475349c5328bdaf34fd2d703cfb9c987da7a9afbd10d860cbe169a74a1a8af44cea232d94d

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\activity-stream.discovery_stream.json

MD5 c10a4782681868c7ff870e9c3b9b7713
SHA1 17c4865ba91291de8ec5ca50f0e49901df7825fa
SHA256 96e17683989d7eb483d3e3dc05f17342fd65e725aaf2ccce13601c46ebf7eddf
SHA512 1065d895f2950b2fff334f812bb70b17574909155a158fcf9d454ff69d7adafc3111d1ffc777b9d4a6d525b615f46860703a01f7b30cb529759aeb407b3a13ea

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\AlternateServices.bin

MD5 b7677e8447e0570307bbaaf2a997d679
SHA1 fc863155c44b484d14e9df1146abd096af4348c2
SHA256 a43cf93cd9126e36ca71b3b85463c922f76e59af84365bfea51dfde43f874d24
SHA512 f08a45fb4296511d1451624158452d7a01c45c740f3ff6a0a20aadd7a0c3ffa65cff67beca97555d44b56052d3ec87486d62ad003acafd0ce1d69fffe3588dbb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\prefs.js

MD5 47765b81c58279c4afaca3c6ad9b79a5
SHA1 5b79e8353706fbd6067a7f2e9b51c68ec7bf1d28
SHA256 d57a4dee0a01c64144296b0531a0d60238d420a5d4d2a25aa74633d9ff4afe5e
SHA512 192070bdab6fc62002ba0d08c7d147ce214f5ea92d8df28308eb8974f2727c15661e253f0424e9e07b4be71fea6d9b2baf89276763d427a01c0d77b73f6353e8

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\prefs-1.js

MD5 8c347ad989aaad864c9ab3a954eedbf7
SHA1 4114617cf63440e4804e0ac0f4428b93018476c3
SHA256 77a20fae480ae389193419eb23dafb4682418907fbabc8102d8bfd4efc6a7236
SHA512 a4630e912a64b189ac9decf4daecbfbda40b1338f193399683d0d92f1c836ab1ba0668ab69d9214f79ce87d529ad6bfc06a02eb85c9cc6c948b5a42645bdd85c

memory/2280-435-0x0000000000D10000-0x00000000011D3000-memory.dmp

memory/2280-443-0x0000000000D10000-0x00000000011D3000-memory.dmp

memory/2280-452-0x0000000000D10000-0x00000000011D3000-memory.dmp

memory/2280-453-0x0000000000D10000-0x00000000011D3000-memory.dmp

memory/2280-454-0x0000000000D10000-0x00000000011D3000-memory.dmp

memory/4052-456-0x0000000000D10000-0x00000000011D3000-memory.dmp

memory/4052-461-0x0000000000D10000-0x00000000011D3000-memory.dmp

memory/2280-462-0x0000000000D10000-0x00000000011D3000-memory.dmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\db\data.safe.tmp

MD5 68ef8bc227a4be86621c7e18c7a97251
SHA1 bf0ca1eb9ffe2fc16d7b0237915f0933ea7b85db
SHA256 1c8041cd22858ad8b75a2374743744c64c62febf2111f3d0236c9d8477fef488
SHA512 e06ff42b2f61214fff67ed6cd9ccc51ec7008131fc0e758d1ac1bafc4d247f8cd577ffa31b37b7353a408ba627856871e5e482f889af7104c755bc68e059187f

C:\Users\Admin\AppData\Local\Temp\tmpaddon

MD5 09372174e83dbbf696ee732fd2e875bb
SHA1 ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256 c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512 b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

MD5 842039753bf41fa5e11b3a1383061a87
SHA1 3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256 d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512 d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

MD5 2a461e9eb87fd1955cea740a3444ee7a
SHA1 b10755914c713f5a4677494dbe8a686ed458c3c5
SHA256 4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA512 34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\cache2\entries\E449899591A9BC91DFBA673EC0589B51E541A88B

MD5 15dd135905bd72d93434d06d98e3fdbe
SHA1 3a4514cbb8fcded7e368bb1afaaad0f4665d660b
SHA256 6d0ca7d9846d06d33b5bcad3b55fe32a36966ad6c12f2dd89144060f1fdf12d2
SHA512 5f3cbfa7cb562da480ef054dc3138419c7916bbaa8485ccb83ee8683b6f6b0d87eb99f67385da08be2b97a6164f667d945a4ed2b04cce0b50ea0f0a0a1a464f3

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\prefs-1.js

MD5 dfd9f763b9c3f9381bd2113a2c19cb2f
SHA1 4710212f5e6071d4f7b0033a7a2446e3714dccdf
SHA256 14c8e7af34a79f6563a17598715e58695689698067936659aa3d1b27e3cf172b
SHA512 81ff1bd8f831b04ed2a2ef85155db48eb95ff5d8845fedff57d22faf80816b96ecbc0c9365571e6a04c5d222b97672607e59e865c243cf9cc2dc0072468896c2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 ab72d39480bdcfabd8464d4f52d3f849
SHA1 feb02b4991461bd1351c77d3b814a95738b3a809
SHA256 e249c5c8a9bde846388984df76487f34f4a412dc05c267126cae91b489e1e5c2
SHA512 00e0a85f1f5ca7e0ce639df9f120a1c852996c553306aa974bf6427ff9f415f60458f55ddcf5dc1c68a6c084f2fded2a296e527462dbe281af9f4d888c78d389

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\datareporting\glean\db\data.safe.tmp

MD5 975d07e246737e51a3f45730f24f7dd6
SHA1 cb59295ae9d53f8fc5d06075d39c62ac4bc9e170
SHA256 3ed602c385f12c60fe4f5c32484f29ee8cf4762ade5a8c36c3f2b3294b648db9
SHA512 f8f079ee40a967ef8d686981e6f62b72e6a7a083963dea0cb3e544701d6678ce7d16385d21d9c6027a248c648287569ceba662b1ba285d9e724eb8e5c827da1d

C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

MD5 0a8747a2ac9ac08ae9508f36c6d75692
SHA1 b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA256 32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA512 59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

MD5 bf957ad58b55f64219ab3f793e374316
SHA1 a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256 bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA512 79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybdgtqfi.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

MD5 daf7ef3acccab478aaa7d6dc1c60f865
SHA1 f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256 bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA512 5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

memory/2280-1934-0x0000000000D10000-0x00000000011D3000-memory.dmp

memory/2280-2803-0x0000000000D10000-0x00000000011D3000-memory.dmp

memory/2280-2806-0x0000000000D10000-0x00000000011D3000-memory.dmp

memory/2280-2812-0x0000000000D10000-0x00000000011D3000-memory.dmp

memory/2280-2814-0x0000000000D10000-0x00000000011D3000-memory.dmp

memory/5404-2816-0x0000000000D10000-0x00000000011D3000-memory.dmp

memory/5404-2817-0x0000000000D10000-0x00000000011D3000-memory.dmp

memory/2280-2818-0x0000000000D10000-0x00000000011D3000-memory.dmp

memory/2280-2819-0x0000000000D10000-0x00000000011D3000-memory.dmp

memory/2280-2820-0x0000000000D10000-0x00000000011D3000-memory.dmp

memory/2280-2821-0x0000000000D10000-0x00000000011D3000-memory.dmp

memory/2280-2827-0x0000000000D10000-0x00000000011D3000-memory.dmp

memory/2280-2828-0x0000000000D10000-0x00000000011D3000-memory.dmp

memory/1584-2830-0x0000000000D10000-0x00000000011D3000-memory.dmp

memory/1584-2831-0x0000000000D10000-0x00000000011D3000-memory.dmp